Solved: Re: Need Time_Format value

VijaySrrie · ‎06-24-2020

Hi, I have two different time values 2020-06-24 03:07:39,997Z 2020-06-24 03:07:39.990Z The first value has a comma(,) and the second value has a dot(.) How can I parse both the values. Any documentation on this?

gcusello · ‎06-24-2020

Hi @VijaySrrie ,

you can leave Splunk to use the correct Time format without forcing a TIME_FORMAT in props.conf.

If Splunk doesn't know one of them add it to datetime.xml following the instructions at https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Data/Configuredatetimexml

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-24-2020

Hi @VijaySrrie ,

you can leave Splunk to use the correct Time format without forcing a TIME_FORMAT in props.conf.

If Splunk doesn't know one of them add it to datetime.xml following the instructions at https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Data/Configuredatetimexml

Ciao.

Giuseppe

gcusello · ‎07-02-2020

Hi @VijaySrrie ,

Perfect!

If you appreciate this solution you can also leave a Karma Point .

Ciao and next time.

Giuseppe

kamlesh_vaghela · ‎06-24-2020

@VijaySrrie

You can go through this link.

https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Commontimeformatvariables

Please check my sample search with your provided data.

| makeresults | eval date="2020-06-24 03:07:39,997Z|2020-06-24 03:07:39.990Z" , date=split(date,"|") | mvexpand date | eval epochtime = strptime(date,"%Y-%m-%d %M:%H:%S,%3QZ")  | eval ReIterated = strftime(epochtime,"%Y-%m-%d %M:%H:%S,%3QZ") | table date epochtime ReIterated

Hope this will help you.

Thanks
Kamlesh Vaghela

Need Time_Format value

time

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor